THE GEOMORPHIC VIEW OF NETWORKING: AN ABSTRACT MODEL OF NETWORK ARCHITECTURE
Jennifer Rexford, Princeton University, Princeton, New Jersey, USA
Pamela Zave, AT&T Laboratories Research, Florham Park, New Jersey, USA
SLIDE 1
SLIDE 2
THE “CLASSIC” INTERNET ARCHITECTURE
layers: APPLICATION LAYER, TRANSPORT LAYER, NETWORK LAYER, LINK LAYER, PHYSICAL LAYER
this architecture has succeeded (beyond most people’s wildest dreams) in fostering innovation and shaping the world we live in
however, it is now widely agreed that it does not meet society’s present and future requirements: security, dependability, mobility, scalability, quality of service, resource management
the trend is toward a more pluralistic architecture . . . with multiple, customized protocol stacks
SLIDE 3
A REAL EXAMPLE
headers in a typical AT&T packet (12 instead of 4): Application, HTTP, TCP, IP, IPsec, IP, GTP, UDP, IP, MPLS, MPLS, Ethernet
multiple layers of resource management
cellular service (mobility, QoS, billing)
security
HTTP being used as a transport protocol because it is the only way to traverse NAT boxes and firewalls
15+ load-balancing algorithms operate on this packet, most of them understood and tested only in isolation!
SLIDE 4
WHAT IS NEEDED FOR THE PLURALISTIC INTERNET?
[diagram: header stack Application, HTTP, TCP, IP, IPsec, IP, GTP, UDP, IP, MPLS, MPLS, Ethernet]
COMMUNICATION SERVICES
we need . . . a broader range of services, security and resource policies appropriate to each application . . . so that all applications can be developed easily and run efficiently
SOFTWARE DEVELOPMENT
we need to develop all this custom software rapidly and correctly, through code generation and re-use
NETWORK MANAGEMENT
we need design principles that enable us to manage complexity, ensure robustness, and predict global behavior
SLIDE 5
A NECESSARY FIRST STEP
AN ABSTRACT MODEL OF NETWORK ARCHITECTURE . . .
. . . would enable us to describe networks, protocols, and other solution mechanisms . . .
. . . in a way that is . . . simple, modular, unique, formalizable, comprehensive
. . . so that all the ideas and artifacts of networking can be compared and composed
SLIDE 6
OUTLINE
1 THE “GEOMORPHIC VIEW”: AN ABSTRACT MODEL OF NETWORK ARCHITECTURE
2 THE GEOMORPHIC VIEW OF MOBILITY
a Understanding mobility
b Comparing existing mobility protocols
c Generating and composing new mobility mechanisms
3 BEYOND MOBILITY: FUTURE WORK
SLIDE 7
CLASSIC LAYERS OR OSI REFERENCE MODEL
there is a fixed number of levels
each layer/level has a specialized function
the scope of each layer is global, so layer = level
THE GEOMORPHIC VIEW OF NETWORKING
there can be any number of levels
each layer is a microcosm of networking, containing all the basic components (state components and mechanisms)
some layers have small or local scopes
SLIDE 8
A NEW LAYER MODEL: MEMBERS, ROUTING, AND FORWARDING
[diagram: a LAYER with members A, B, C, D, E]
member: a process, which is merely a locus of state and control with the potential for autonomous action
name: unique and persistent within the layer
link: a communication channel
forwarding protocol: enables members to send messages to one another, using the links
routes: often there is not a link between every pair of members; routes tell the forwarding protocol how to reach one member from another over the existing links, with forwarding by intermediate members
routing algorithm: maintains the routes as links change over time
SLIDE 9
A NEW LAYER MODEL: COMMUNICATION SERVICES
[diagram labels: LAYER; a; b; d; e; link; session]
channel: an instance of a communication service
session protocol: implements an end-to-end communication service, on top of the basic, fundamentally unreliable, message delivery provided by the forwarding protocol
session: a communication channel (as are links)
from the perspective of one layer, sessions are more convenient than links
they have longer reach; might be more reliable, better-behaved (with FIFO delivery), with guaranteed performance, etc.
SLIDE 10
A NEW LAYER MODEL: THE “USES” HIERARCHY
[diagram labels: OVERLAY (higher layer); UNDERLAY (lower layer); A; E; a; b; d; e; link; session]
when an overlay uses an underlay, a link in the overlay is implemented by a session in the underlay
registration: relates an overlay member to the underlay member that it is using on the same machine
members on the same machine communicate reliably through its operating system
to set up this link/session:
1 A sends request to a
2 a looks up registration of E, finds e
3 a sends request to e
4 e sends request to E
SLIDE 11
A NEW LAYER MODEL: THE MAJOR COMPONENTS
STATE: members; attachments (where members are registered in underlays); locations (registrations of overlay members in this layer); sessions; links; routes
PROTOCOLS (or, the “data plane”): session protocol; forwarding protocol
ALGORITHMS (or, the “control plane”): member algorithm; attachment algorithm; location algorithm; link algorithm; routing algorithm
can be centralized or distributed across the members in any way
SLIDE 12
A NEW LAYER MODEL: SCOPE AND LEVEL
[diagram labels: APPLICATION LAYERS; INTERNET CORE (IP, TCP, UDP); LANs; application process; IP interface of machine; Ethernet interface; gateway]
layers are arranged in a “uses” hierarchy, which defines levels
the scope of a layer is the set or class of processes that could be members
this describes the classic Internet architecture in terms of the new layer model or “geomorphic view”
SLIDE 13
WE CALL THIS THE “GEOMORPHIC VIEW” OF NETWORKING . . .
. . . BECAUSE THE COMPLEX ARRANGEMENT OF LAYERS RESEMBLES THE EARTH’S CRUST
SLIDE 14
HOW THE GEOMORPHIC VIEW IS DIFFERENT FROM SDN
The geomorphic view modularizes the complexity of real networks, spreading it out over multiple, relatively simple layers.
The way that SDN has been described so far, all the action is stuffed into a single, large network layer.
Even if the implementation looks like this, the geomorphic view is a better abstraction for understanding the requirements that the implementation should satisfy.
SLIDE 15
OUTLINE
1 THE “GEOMORPHIC VIEW”: AN ABSTRACT MODEL OF NETWORK ARCHITECTURE
2 THE GEOMORPHIC VIEW OF MOBILITY
a Understanding mobility
b Comparing existing mobility protocols
c Generating and composing new mobility mechanisms
3 BEYOND MOBILITY: FUTURE WORK
SLIDE 16
NETWORK MOBILITY IS . . .
. . . THE HOT THING
it’s a mobile world
devices move from one medium to another, as well as from place to place
ubiquitous computing (under the new name “machine-to-machine”) is an area of enormous growth
. . . VERY DIFFICULT TO IMPLEMENT AT INTERNET SCALE
the Internet has a hierarchical address space (partly geographical)
the Internet scales because subtrees are address blocks, and address blocks are aggregates for routing
mobility breaks the rules—an individual IP address moves to a place where it does not belong
. . . A SOURCE OF CONFUSION
many dozens of proposals
there is no sound basis for qualitative or quantitative evaluation of them
they are not designed to be composed with one another
despite the number of proposals, there are gaping holes in their coverage
SLIDE 17
MOBILITY AND LAYERS
“mobility”: a mobile device maintains network connectivity as it moves from place to place
this is true, but not enough!
[diagram labels: BENEFITING LAYER; LAYER IMPLEMENTING MOBILITY; higher endpoint; lower endpoint; persistent identifier; old location; new location; service specification]
layers explain the identity, credentials, and capabilities that are retained while something else changes
also, the strongest definitions of mobility include continuity of a channel (instance of a communication service)—most such channels are inter-layer
SLIDE 18
THERE ARE TWO PATTERNS FOR IMPLEMENTING MOBILITY
DYNAMIC-ROUTING MOBILITY
[diagram labels: BENEFITING LAYER; LAYER IMPLEMENTING MOBILITY; A; B; b1; a; a1]
this link connects a to the rest of its layer
SLIDE 19
THERE ARE TWO PATTERNS FOR IMPLEMENTING MOBILITY
DYNAMIC-ROUTING MOBILITY
[diagram labels: BENEFITING LAYER; LAYER IMPLEMENTING MOBILITY; A; B; b1; a; a2; old link going away; new link implemented by this layer]
layer state components that change: attachments, links, routes
as the attachment of a member changes, its links change, and the routing algorithm must find new routes to it
SLIDE 20
THERE ARE TWO PATTERNS FOR IMPLEMENTING MOBILITY
[diagram labels: BENEFITING LAYER; LAYER IMPLEMENTING MOBILITY; A; B; b1; a; a2]
DYNAMIC-ROUTING MOBILITY
layer state components that change: attachments, links, routes
as the attachment of a member changes, its links change, and the routing algorithm must find new routes to it
SESSION-LOCATION MOBILITY
as part of the session state, a knows b1 as the far endpoint of the session
SLIDE 21
THERE ARE TWO PATTERNS FOR IMPLEMENTING MOBILITY
[diagram labels: BENEFITING LAYER; LAYER IMPLEMENTING MOBILITY; A; B; b1; b2; a; a2]
DYNAMIC-ROUTING MOBILITY
layer state components that change: attachments, links, routes
as the attachment of a member changes, its links change, and the routing algorithm must find new routes to it
SESSION-LOCATION MOBILITY
layer state components that change: locations, sessions
as the channel endpoint changes its location in the implementing layer, the session state changes to match it
tell a that session endpoint is now at b2
SLIDE 22
OUTLINE
1 THE “GEOMORPHIC VIEW”: AN ABSTRACT MODEL OF NETWORK ARCHITECTURE
2 THE GEOMORPHIC VIEW OF MOBILITY
a Understanding mobility
b Comparing existing mobility protocols
c Generating and composing new mobility mechanisms
3 BEYOND MOBILITY: FUTURE WORK
SLIDE 23
EACH MOBILITY PROTOCOL HAS A UNIQUE DESCRIPTION
see “The design space of network mobility”
NO TUNNELS
the only encapsulation is inter-layer encapsulation
routing in each layer can be described precisely
ONE NAME SPACE PER LAYER . . .
. . . regardless of whether it contains “identifiers,” “locators,” or “addresses”
pattern categories: DYNAMIC-ROUTING MOBILITY; SESSION-LOCATION MOBILITY; A COMPOSITION OF BOTH PATTERNS
protocols shown: Mobile IPv6, TCP Migrate, HIP, ILNP, LISP Mobile Node, Serval, Ethernet LANs, Ethernet overlays, Mobile IPv4, MSM-IP
SLIDE 24
STRENGTHS AND WEAKNESSES OF THE PATTERNS
DYNAMIC-ROUTING MOBILITY
Strengths
Works well in a layer with a smaller scope and a flat name space—usually dynamic routing for mobility is no different from “normal” routing.
Even when it is different from “normal” routing, it can often be implemented without endpoint involvement.
Weaknesses
In a larger layer with a hierarchical name space, costs for dynamic routing to individual members are high.
How many routers know where to find a mobile member? (trade-off)
if many, storage and update costs are high
if few, path costs are high
SESSION-LOCATION MOBILITY
Strengths
Low storage and update costs.
No path costs.
Weaknesses
Requires endpoint involvement, so cannot be deployed without changing endpoint software.
SLIDE 25
EFFECTIVE COMPARISON
Different protocols for session-location mobility are superficially very similar.
Because of the issue of endpoint involvement, one of the most valuable properties of a protocol is its ability to interoperate with legacy endpoints.
note that, although 4 of them (HIP, ILNP, LISP Mobile Node, Mobile IPv6) are IETF standards, none of them ever refer to the others!
Describing these protocols in geomorphic terms reveals clear differences in terms of layering, name spaces, and how they interact with normal routing.
These differences make a big difference in how well these protocols interoperate.
Evaluation for an AT&T task force revealed a clear winner.
information from vendors is either too detailed or too vague, doesn’t help distinguish them
SLIDE 26
OUTLINE
1 THE “GEOMORPHIC VIEW”: AN ABSTRACT MODEL OF NETWORK ARCHITECTURE
2 THE GEOMORPHIC VIEW OF MOBILITY
a Understanding mobility
b Comparing existing mobility protocols
c Generating and composing new mobility mechanisms
3 BEYOND MOBILITY: FUTURE WORK
SLIDE 27
THE DESIGN SPACE OF MOBILITY
[diagrams: three layer arrangements, with labels m, m’, m1, m2, a1, a2, link, SLM, DRM]
this instance of mobility could be moved up and implemented with a different pattern
or implemented with the original pattern at a higher level
In principle, with sufficient control of the layers, . . .
. . . a designer could choose to handle an episode of mobility with either pattern, . . .
. . . at any level where the episode is definable or above.
So there is a large design space, most of it unexplored.
SLIDE 28
EXAMPLE: NEW DESIGNS FROM THE MOBILITY SPACE
[diagram labels: application; work session; acts as a mobile router]
THE GOAL IS TO PROVIDE MOBILITY FOR THIS LAPTOP . . .
. . . NOTING THAT SOMETIMES THE LAPTOP IS ON A BUS
we want to avoid, e.g., . . .
. . . solutions that require updates for every passenger when the bus moves
. . . solutions that require an update for the bus when a passenger gets on or off
SLIDE 29
EXAMPLE: NEW DESIGNS FROM THE MOBILITY SPACE
[diagram labels: application; work session; registration when laptop is on the bus; registration when laptop is elsewhere; LAN on bus; various LANs, including roadside WiFi; bus company router port on bus LAN; b00; b35; b30]
layer implements SLM for laptop—active when laptop moves on and off bus, not when bus moves
layer implements DRM for bus—active when bus moves, does nothing with individual devices on bus
SLIDE 30
EXAMPLE: NEW DESIGNS FROM THE MOBILITY SPACE
[diagram labels: application; work session; LAN on bus; WAN, stacked on top of LANs; route when laptop on bus; route when laptop off bus; m00; m74]
layer implements DRM for laptop—active when laptop moves on and off bus, not when bus moves
layer implements SLM for bus—active when bus moves, does nothing with individual devices on bus
bus appears stationary in this layer
SLIDE 31
COMPOSITIONAL NETWORK MOBILITY
[diagram labels: BENEFITING LAYER; LAYER IMPLEMENTING MOBILITY; DYNAMIC-ROUTING MOBILITY; SESSION-LOCATION MOBILITY; A; B; b1; b2; a; a1’; a2’]
every mobility mechanism specializes one of these patterns, or is a composition of the two
in principle, every instance of mobility, at any level, could be handled with either of these patterns—so mobility mechanisms could be everywhere
how do the mobility mechanisms compose across layer boundaries?
how do implementations of both patterns in the same layer compose?
related to fault-tolerance, we are working on this
we have a proof that it works—there is no interference between the patterns!
SLIDE 32
AN ACTIVE IMPLEMENTED CHANNEL
[diagram labels: c.initiator; c.acceptor; c in links; c.userLayer; c.implLayer; locInit; locAccpt; in attachments; in locations; active; reachable; c in sessions; c.initFarLoc = locAccpt; c.accptFarLoc = locInit]
SLIDE 33
AN INACTIVE IMPLEMENTED CHANNEL
[diagram labels: c.initiator; c.acceptor; c in links; c.userLayer; c.implLayer; newLocInit; in attachments; in locations; active; c in sessions; c.initFarLoc = locAccpt]
MOBILITY COULD DESTROY REGISTRATIONS
MOBILITY COULD DESTROY OR INACTIVATE LINKS
MOBILITY COULD CAUSE FAR LOCATIONS IN SESSION STATE TO BE WRONG
MODEL IMPLEMENTS BOTH PATTERNS IN EVERY LAYER
SLIDE 34
HOW TO PROVE THAT MOBILITY ALWAYS WORKS
[diagram labels: c.initiator; c.acceptor; c in links; c.userLayer; c.implLayer; newLocInit; in attachments; in locations; active; c in sessions; c.initFarLoc = locAccpt]
MOBILITY COULD DESTROY REGISTRATIONS
MOBILITY COULD DESTROY OR INACTIVATE LINKS
MOBILITY COULD CAUSE FAR LOCATIONS IN SESSION STATE TO BE WRONG
We cannot assume that mobile devices and network elements will perform all the requisite actions (to prove a true progress property).
Theorem: In any state in which an implemented link is inactive, some event is enabled whose execution will make progress toward making the link active (a safety property).
Proof: Manual enumeration of necessary events and event sequences, automated checking of their preconditions with the Alloy Analyzer (verification over small domains).
We do assume that a mobile machine can always become a member of a layer of its choice.
SLIDE 35
WHAT COULD GO WRONG?
[diagram labels: c.initiator; c.acceptor; c in links; c.userLayer; c.implLayer; newLocInit; newLocAccpt; in attachments; in locations; c in sessions; c.initFarLoc = locAccpt; c.accptFarLoc = locInit]
both endpoints have moved
both endpoints have the wrong far location
neither can send an update message to the other
SLIDE 36
SOME EVENT SEQUENCES
[diagram labels: c.initiator; c.acceptor; c in links; newLocInit; newLocAccpt; directory; steps numbered 1, 2, 3, 4]
events: CreateRegistration, UpdateDirectory, UpdateFarLocFromDirectory, UpdateFarLocFromEndpoint
in the double-handoff scenario, 1, 2, 3 and 1, 3, 2 do not work, but 1, 3, 4 does
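The double-handoff failure described above, as a small added model (not the authors' Alloy model and not code from the slides). The event names and the labels A, B, a1, a2, b1, b2 come from the slides; the semantics given to each event, the directory keyed by persistent identifier, and the delivery rule are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Endpoint:
    name: str      # persistent identifier in the benefiting layer
    loc: str       # current location in the implementing layer
    far_loc: str   # where this endpoint believes its peer is located

class Session:
    """Toy session-location mobility state (assumed semantics)."""
    def __init__(self):
        self.init = Endpoint("A", "a1", "b1")
        self.accpt = Endpoint("B", "b1", "a1")
        self.directory = {"A": "a1", "B": "b1"}   # identifier -> location

    def peer(self, ep):
        return self.accpt if ep is self.init else self.init

    def create_registration(self, ep, new_loc):
        ep.loc = new_loc                  # endpoint has moved; directory is now stale

    def update_directory(self, ep):
        self.directory[ep.name] = ep.loc

    def update_far_loc_from_directory(self, ep):
        ep.far_loc = self.directory[self.peer(ep).name]

    def update_far_loc_from_endpoint(self, sender):
        # The update is addressed to sender.far_loc, so it is lost
        # if the peer is no longer at that location.
        peer = self.peer(sender)
        if sender.far_loc != peer.loc:
            return False
        peer.far_loc = sender.loc
        return True

    def active(self):
        return (self.init.far_loc == self.accpt.loc
                and self.accpt.far_loc == self.init.loc)

def double_handoff():
    s = Session()
    s.create_registration(s.init, "a2")
    s.create_registration(s.accpt, "b2")
    return s

def endpoint_only_repair():
    s = double_handoff()
    delivered = [s.update_far_loc_from_endpoint(s.init),
                 s.update_far_loc_from_endpoint(s.accpt)]
    return delivered, s.active()

def directory_repair():
    s = double_handoff()
    for ep in (s.init, s.accpt):
        s.update_directory(ep)
    s.update_far_loc_from_directory(s.init)              # initiator learns b2
    delivered = s.update_far_loc_from_endpoint(s.init)   # now reaches the acceptor
    return delivered, s.active()
```

In this model a single handoff is repaired by an endpoint update alone; only when both endpoints move does the session need the directory to become active again.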
SLIDE 37
OUTLINE
1 THE “GEOMORPHIC VIEW”: AN ABSTRACT MODEL OF NETWORK ARCHITECTURE
2 THE GEOMORPHIC VIEW OF MOBILITY
a Understanding mobility
b Comparing existing mobility protocols
c Generating and composing new mobility mechanisms
3 BEYOND MOBILITY: FUTURE WORK
SLIDE 38
FUTURE WORK
REQUIREMENTS RELATED TO MOBILITY
multihoming
anycast
fault-tolerant channels
mobile subnetworks
middleware to support abstract application names
an especially interesting research topic: quantitative composition, i.e., determining how the performance properties of mobility mechanisms compose when the mechanisms compose
NEXT UP: DOMAINS
layers decompose a network horizontally (mostly) and vertically
domains decompose a network vertically
[diagram labels: D1; D2; D3]
domains are related to: trust, security, middleboxes, interoperation, and probably many other important requirements
SLIDE 39
THOUGHTS ON SDN
WHAT I OBSERVE
repertoire of “properties to prove” is a bit boring
many conflicting requirements (from different stakeholders), with little help in resolving the conflicts
serious complexity problems in all aspects: modeling networks, expressing desired properties, deciding properties
“tunneling makes the state explode”
WHAT NICK McKEOWN SAID
One of the three major benefits of SDN is a well-defined control abstraction that can be implemented separately from the forwarding plane . . .
. . . so that software engineering can be applied to this implementation.
WHAT IS SOFTWARE ENGINEERING?
Above all, software engineering is about . . .
. . . modularity
. . . separation of concerns, which is what you get from layers in the geomorphic view.
It can help you . . .
. . . develop re-usable theories that apply at many levels for many different purposes
. . . understand where the requirements come from and how conflicts should be resolved
. . . manage complexity
. . . extend SDN beyond the most basic aspects of networking
. . . know when it is safe to optimize.
SLIDE 40